A Guide to GDPR for Businesses
As of 25 May 2018, the EU's General Data Protection Regulation (GDPR) is in force and could have an impact on your business. Find out more in our guide to GDPR for businesses.
GDPR came into effect on 25 May 2018. This new framework for data protection law replaces the 1995 Data Protection Directive, on which the UK Data Protection Act 1998 was based. The new Data Protection Act 2018 incorporates all of the GDPR changes with only minor deviations (meaning that, as yet, Brexit is unlikely to trigger any material change).
What happens now?
It has been two years since GDPR was published in the EU Official Journal in May 2016, giving businesses and public bodies covered by the regulation a preparation period in which to prepare for the changes. However, the fact that the deadline has now passed should not be a cause for panic. Whilst it is likely that many firms will not be entirely ready for GDPR, the enforcing UK Information Commissioner's Office (ICO) has acknowledged this. It should be noted that the government only managed to pass the new act two days before it came into force.
Elizabeth Denham, the Information Commissioner, has stated that the ICO will not seek to issue harsh penalties simply for the sake of making examples and will pursue a collaborative approach to enforcement. Whilst the ICO has the power to conduct criminal investigations and issue (potentially large) fines, these will only be used as a last resort where other means of ensuring compliance fail. Most importantly, demonstrating that your business is aware of the regulation and has taken steps to comply will lead to better treatment than if you do nothing or aim to work around the rules. Given the scale of the new rules (GDPR is 88 pages with 99 articles; the UK legislation is 353 pages), it is perhaps inevitable that implementation and enforcement will be an evolving process over the next few years.
Given the significant congruence between the old and the new DPA, if you were subject to the 1998 legislation you will be subject to its 2018 equivalent. Likewise, if you have already been complying with the old DPA, it is likely that you are already meeting many GDPR principles. Nevertheless, the new regime is more extensive and simply assuming compliance is not advisable.
Brief overview of provisions
The GDPR covers all individuals, organisations, and companies who are either "controllers" or "processors" of "personal data" and/or "sensitive personal data". Personal data is anything that allows a living person to be directly or indirectly identified (name, address, IP address). In a notable departure from the old DPA, this now includes "pseudonymised personal data" wherever the relevant pseudonymous data could identify a person. Sensitive personal data refers to "special categories" of information, including data on genetics, religious and political views, and sexual orientation. For more information on definitions, see the ICO's guidance.
One provision that everyone with an email address will be aware of is the requirement to obtain consent in the form of a "positive opt-in" to process data in some situations. You can only process data if you have at least one of six lawful grounds. Consent is therefore required (and it is advisable to err on the side of caution where possible) other than in the following situations:
(i) Where processing data is necessary to fulfil a contract with the data subject.
(ii) Where processing data for a particular purpose is a legal requirement.
(iii) Where processing data will protect someone's (not only the data subject's) "vital interests" (physical integrity or life).
(iv) Where processing data is needed to complete official functions or tasks in the public interest (covering public authorities).
(v) Where a private-sector organisation has a genuine and legitimate reason (notably, including commercial benefit) to process data, so long as negative effects to the data subject’s rights and freedoms do not outweigh this.
To ensure protection around automated data processing, data subjects have the right not to be subject to an automated decision that produces a significant effect on them. Whilst there are exceptions, an explanation must generally be provided for why a decision was made.
There are also provisions to ensure everyone has the right to obtain confirmation that an organisation holds information about them and to be able to access this, along with any supplemental information. In a change from the previous system, where a "Subject Access Request" (SAR) allowed you to charge £10 to give data subjects what you held on them, requests are now free and the information must be provided within one month.
Individuals can also demand that their personal data be erased in certain circumstances, including where it is no longer necessary for the purpose it was collected, if consent is withdrawn, if there is no legitimate interest, and if it was unlawfully processed.
Where “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data could have a detrimental impact on those people, the data breach has to be reported to the ICO within 72 hours. The impacted data subjects must also be informed. “Detrimental impact” includes (but is not limited to) harm such as financial loss, confidentiality breaches, and damage to reputation.
Certain provisions only apply to certain companies. If you have more than 250 employees, you will need to document:
(i) why information is being collected and processed;
(ii) what information is held;
(iii) how long it is being held; and
(iv) what technical security measures are in place.
It is necessary to employ a data protection officer (DPO) if your company has “regular and systematic monitoring” of individuals on a large scale and/or processes a large amount of sensitive personal data. Whilst larger businesses and public authorities are likely to already have someone in this role, in many cases hiring a new member of staff will be necessary. The DPO has to report to senior management (to an extent that data processing must now be treated as a “boardroom issue”), monitor GDPR compliance, and be a point of contact for employees and customers.
As noted, the ICO can impose fines. Examples of finable offences include: failure to process data in the correct way; failure to have a DPO where necessary; and having a security breach. The ICO will determine the scale of the fine. Smaller offences can result in fines of up to the greater of two per cent of a firm's global turnover or €10 million. More serious offences can result in fines of up to the greater of four per cent of global turnover or €20 million. By comparison, under the old DPA the ICO could only impose a maximum £500,000 penalty.
For further information, the ICO has provided a detailed 200-page guide, a shorter 10-page document setting out 12 steps to take immediately, and further resources including a self-assessment checklist and FAQs.